Moodle Security

Book Description

Learn how to install and configure Moodle in the most secure way possible

  • Follow the practical examples to close up any potential security holes, one by one

  • Choose which parts of your site you want to make public and who you are going to allow to access them

  • Protect against web robots that send harmful spam mails and scan your site's information

  • Learn how to monitor site activity and react accordingly

In Detail

    Moving your classes and resources online with a Learning Management System such as Moodle opens up a whole world of possibilities for teaching your students. However, it also opens up a number of threats as your students, private information, and resources become vulnerable to cyber attacks. Learn how to safeguard Moodle to keep the bad guys at bay.

    Moodle Security will show you how to make sure that only authorized users can access the information on your Moodle site. This may seem simple, but, every day, systems get hacked and information gets lost or misused. Imagine the consequences if that were to happen in your school. The straightforward examples in this book will help you to lock down those access routes one door at a time.

    By teaching you about the different types of potential threat, this book will prepare you for the worst. Web robots can harvest your e-mail addresses to send spam e-mails from your account, which could have devastating effects. Moodle comes with a number of set roles and permissions – make sure these are assigned to the right people, and are set to keep out the spam bots, using Moodle's authentication features. Learn how to secure both Windows and Linux servers and to make sure that none of your system files are accessible to the wrong people. Many of the most dangerous web attacks come from inside your system, so once you have all of your security settings in place, you will learn to monitor user activity to make sure that there are no threats from registered users. You will learn to work with the tools that help you to do this and enable you to back up your settings so that even a crashed system can't bother you.

    Protect your students and staff by securing Moodle to prevent online attacks and hacks

    Table of Contents

    1. Moodle Security
      1. Moodle Security
      2. Credits
      3. About the Author
      4. About the Reviewers
      5. www.PacktPub.com
        1. Support files, eBooks, discount offers, and more
          1. Why Subscribe?
          2. Free Access for Packt account holders
      6. Preface
        1. What this book covers
        2. Who this book is for
        3. Conventions
        4. Reader feedback
        5. Customer support
          1. Errata
          2. Piracy
          3. Questions
      7. 1. Delving into the World of Security
        1. Moodle and security
          1. Weak points
        2. The secure installation of Moodle
          1. Starting from scratch
            1. Installation checklist
        3. Quickly securing Moodle
          1. Review the Moodle security overview report
        4. Summary
      8. 2. Securing Your Server—Linux
        1. Securing your Linux—the basics
          1. Firewall
          2. User accounts and passwords
          3. Removing unnecessary software packages
          4. Patching
        2. Apache configuration
          1. Where to start
          2. Directory browsing
          3. Load only a minimal number of modules
          4. Install and configure ModSecurity
        3. MySQL configuration
        4. PHP configuration
          1. Installation
        5. File security permissions
          1. Discretionary Access Control—DAC
            1. Directory permissions
          2. Access Control Lists
          3. Mandatory Access Control (MAC)
        6. Adequate location for a Moodle installation
        7. How to secure Moodle files
          1. DAC
          2. ACL
        8. Summary
      9. 3. Securing Your Server—Windows
        1. Securing Windows—the basics
          1. Firewall
          2. Keeping OS updated
            1. Configuring Windows update
          3. Anti-virus
          4. New security model
        2. File security permissions
          1. Adequate location for Moodle installation
        3. Installing and securing PHP under Internet Information Server
          1. Preparing IIS
          2. Getting the right version of PHP
          3. Configuring php.ini
          4. Adding PHP to the IIS
            1. Creating Application pool
            2. Create new website
            3. Adding PHP mapping
        4. Securing MySQL
          1. MySQL configuration wizard
          2. Configure MySQL service to run under a low-privileged user
            1. Create a mysql account
        5. Summary
      10. 4. Authentication
        1. Basics of authentication
          1. Logon procedure
        2. Common authentication attacks
          1. Weak passwords
          2. Enforcing a good password policy
          3. Protecting user logon
            1. Closing the security breach
          4. Password change
            1. Recover a forgotten password
              1. Preventing a potential security risk
              2. Securing user profile fields
          5. User model in Moodle
        3. Authentication types in Moodle
          1. Manual accounts
          2. E-mail based self-registration
            1. Specifying allowed or denied e-mail domains
            2. Captcha
            3. Session hijacking
          3. No login
        4. Summary
      11. 5. Roles and Permissions
        1. Roles and capabilities
          1. Capability
          2. Context
          3. Permissions
          4. Role
          5. How it all fits together
        2. Standard Moodle roles
        3. Customizing roles
          1. Overriding roles
        4. Best practices
          1. Risky capabilities
        5. Summary
      12. 6. Protection Against Bots
        1. Internet bots
          1. Search engine content indexing
          2. Harvesting email addresses
          3. Website scraping
          4. Spam generators
        2. Protecting Moodle from unwanted search bots
          1. Search engines
          2. Moodle and search engines
          3. Moodle access check
        3. Protection against spam bots
          1. User profiles
          2. E-mail-based self-registration
          3. User blogs
          4. Moodle messaging system
          5. Cleaning up spam
        4. Protection against brute force attacks
        5. Summary
      13. 7. Securing User Files
        1. Uploading files into Moodle
          1. How Moodle stores files
          2. Points of submitting user files
            1. WYSIWYG HTMLArea editor
            2. Upload single file simple/advanced assignment
            3. Forum
            4. Database activity
        2. Dangers and pitfalls
          1. Classic viruses
          2. Macro viruses
            1. Applying protection measures
              1. Disable WYSIWYG editor if you do not need it
              2. Enable file upload in forums only when you really need it
        3. Anti-virus and Moodle
          1. ClamAV on Linux
            1. Configuring Moodle
          2. ClamAV on Windows
            1. Downloading
            2. Configuring clamd service
            3. Setting up virus signature database update
            4. Scheduling updates
            5. Final steps
        4. Summary
      14. 8. Securing Moodle Data
        1. User information protection
          1. User profile page
            1. Reaching profile page
              1. People block
              2. Forum topics
              3. Messaging system
            2. Protecting user profile information
              1. Limit information exposed to all users
              2. Completely block ability to view profiles
                1. Disable View participants capability
                2. Hide messaging system
                3. Disable Messaging system
                4. Not using general forums
                5. Disable View user profiles capability
        2. Course information protection
          1. Course backups
            1. Important information for users of Moodle prior to 1.9.7
              1. Password hashes and salt
              2. Enable password policy
              3. Enable password salt
              4. Disable teacher's ability to back up and restore courses
            2. Security issues with course backups
            3. Scheduled backups
        3. Summary
      15. 9. Monitoring User Activity
        1. Activity monitoring using Moodle tools
          1. Moodle log
          2. Accessing the Moodle reports
          3. Logs report
            1. IP address lookup page setup
            2. Configuring Moodle to use GeoIP database
          4. Live Logs report
          5. Statistics report
          6. Moodle cron
            1. Moodle cron on Windows
            2. Moodle cron on Linux
            3. Enabling statistics report
        2. Activity monitoring using OS native tools
          1. Linux
            1. Server load
            2. Disk space
            3. Web server load
            4. Web server statistics
              1. Configuring The Webalizer
          2. Windows
            1. Server load
              1. Task manager
              2. Performance and Reliability Monitor
              3. The Webalizer on Windows
        3. Summary
      16. 10. Backup
        1. Importance of backup
        2. Backup tools in Moodle
          1. Manual backup
          2. Automatic backup
            1. Content export options for automatic backup
            2. Execution configuration options
            3. When to use Moodle automated backup
        3. Site backup
          1. Database
            1. Server log
              1. Linux
              2. Windows
            2. Automating database backup—Linux
              1. Backup script explanation
            3. Automating database backup—Windows
            4. Restoring database
          2. Moodledata directory
            1. Linux
            2. Windows
          3. Moodle directory
        4. Disaster recovery scenario
        5. Summary
      17. A. Authentication Plugins
        1. Plugins less common in production servers
          1. LDAP server
            1. Configuring LDAP PHP extension
          2. CAS server
          3. FirstClass server
          4. IMAP server
          5. Moodle network authentication
          6. NNTP server
          7. No authentication
          8. PAM (Pluggable Authentication Modules)
          9. POP3 server
          10. Shibboleth
          11. Radius
        2. Summary